Discovering the Cause of Authentication Failures

Summary

We explored three different techniques to authenticate against Active Directory and ADAM. While we did not directly cover using the LogonUser API, that is also a valid option and it can be considered. Table 12.1 includes the four different choices, summarized by platform and version of .NET.

Table 12.1. Authentication Options Matrix

Operating System

.NET Version 2.0

.NET Version 1.1

Windows 2000

SSPI[a]

SDS

SDS.p

SDS

Windows 2003/XP ADAM

SDS.P

SDS

SDS

Windows 2003

SSPI[a]

SDS

SDS.P

LogonUser[a]

LogonUser[a]

SDS

[a] Runs on client, not server.

We can make a couple of observations from this table. First, SDS.P is probably going to be our most compatible and perhaps best-performing choice across all platforms with version 2.0. However, the performance depends a bit on whether fast concurrent binding will be supported on our client and server. Regardless, it is a pretty good choice.

For version 1.1, we can see that only SDS is universal across all the platforms. The biggest problem, of course, is that this solution does not scale well. For small applications, SDS will be fine using version 1.1. Larger applications will need to consider writing a custom SSPI solution using managed C++ for Active Directory, or perhaps a native LDAP component for ADAM. Since these two options would be significantly more difficult, we do not show them as an option in Table 12.1.

While LogonUser can also be used on Windows 2000 clients against any version of Active Directory, we do not recommend using it unless it is called from Windows 2003 or XP clients, because essentially it must run as SYSTEM if we are to use it on this platform. Keeping in mind the limitations based on platform (e.g., LogonUser) and version of framework (e.g., SDS.P), this chapter and Table 12.1 should give you some useful guidance on what authentication method is appropriate for your own application.